Will CSOs become CROs in the future?

Is the chief security officer title destined to evolve into one that is about more than just security? Many CSOs have seen their responsibilities morph from defending an organization, to calculating an organization's risk profile as well

Few would deny the chief security officer role has evolved quite a bit in recent years. At many large companies, the heads of both physical and information security now report in to the same person, an enterprise CSO. The pace of change for the function is accelerating along with the ever-changing nature of threats.

Today, many believe CSOs will morph, sooner rather than later, into chief risk officers (CROs), monitoring and mitigating enterprise risks, including those relating to information security and facilities (but excluding financial risks, which are covered by the more traditional CRO function in large companies). At a high level, the new responsibilities include understanding your company's risk profile and risk appetite and then mitigating the risks accordingly.

Greg Thompson, vice president of enterprise security services and deputy CISO at Torontos Scotia Bank, already sees his role evolving into something like head of operational risk management. Scotia is Canada's third largest bank.

"The writing is on the wall," said Thompson. "Ten years ago this role was highly operational. We had to get better at operationalizing vulnerability management and putting the right controls in place."

As a CISO in heavily regulated industry in a risk-averse country, Thompson says he is seeing ever-greater reporting requirements and more need for expertise in operational risk management. He now tracks and manages the full gamut of risks other than financial: fraud, hackers, hacktivists, breaches of privacy, configuration risk, risk of attack by nation states, reputational risk, facilities risk, IT process risk, compliance risk, supplier/service risk.

"We used to just look at these as security risk indicators. Now, they are key risk indicators. We now look beyond information security and try to understand the rest of the picture," he said, adding that the regulatory climate is driving some of this new emphasis.

The new metrics

Thompson is excited at the prospect of his role expanding, but he feels there is a lack of appropriate metrics to help him define and track enterprise risks.

"We need to find a set of metrics that speak to risk in real terms. There are things like mean time to patch, how many open audit findings. But that's not enough. Defining the measurements is the ultimate challenge," he said.

Right now, his organization is working on developing baselines that will be trustworthy markers now and in the future.

Relevant metrics are changing right along with the CSO role. Thompson has seen some risk metrics change in recent years. For example, the information security function at Scotia Bank used to use "age of vulnerability" as an indicator of the level of risk under the assumption that the longest-standing vulnerabilities were riskier than new ones. Now, the bank has matured its risk analysis not to focus on the age of the vulnerability but rather the threat agents that exist to exploit the vulnerability.

"I now consider the one that has active threats to be higher risk," said Thompson.

Thompson believes that whether or not one's title explicitly includes the "R," every CSO takes what he calls a "risk-related perspective" today, out of necessity. Verisign CSO Danny McPherson agrees, saying his approach is "intelligence-driven security." What that means is McPherson considers the context in which Verisign of Reston, Va., operates. "We want to use our best resources to make sure our high-value assets are protected," he said.

McPherson and many others believe enterprise risk management should be a cross-functional phenomenon.

"You need to break down those information silos. It's about connecting the dots for the business. How does a new product, a new press release, a new competitor —how do these affect the company's threat level, and how do we get back to an acceptable level of risk?" he said. "Given the global nature of business today, it becomes harder and harder to wrap your arms around that. How do we invest intelligently? How do we protect ourselves and our customers in the most effective way? Risk management needs to go beyond just checking off boxes that are required by regulations. "

The only way you can protect the enterprise, McPherson believes, is by understanding the context and the landscape in which your business operates.

"If you can leverage that information and collect it and provide context, you will be more agile and adaptive as a result of that. And risk level goes down."

To Scotia Bank's Thompson, given the Internet and the explosion in digital information, information security touches every aspect of business today. And he is pleased to be helping his company to take abreast of the full range of information risks its faces today.

It will surprise few that CSOs who already have a strong connection to the business are already well positioned to embrace the CRO role described here. Thompson and McPherson are both in constant contact with their business counterparts and enjoy that aspect of their jobs.

"I like to be the jack of all trades," said McPherson. "I love getting a handle on the business context and contributing to the strategic direction. It is so critical to have those feedback loops, to sit down together and challenge each other's assumptions."